Imagine you are sitting in front of your computer and all of a sudden you hear weird sounds coming from your hard drive.
You think, “what happened?” At first glance nothing -- but your browser is open and you don't remember any backup applications being active. Why is your hard drive working so hard? You ponder it and then wave it off, thinking it's probably just some index process running in the background.
A couple of minutes later, when it doesn't stop, you really get paranoid and recall that you don't have a backup plan. Besides, what sort of index process runs in the middle of the day anyway? Quickly you launch your task manager.
After going over the processes one by one, you come to the conclusion that nothing unusual seems to be happening. The only message you get from your anti-virus is an old warning about a copy of netcat you stored on your hard disk from way back when. By now you're pretty much convinced it's nothing and the sounds have disappeared, so it couldn't be anything serious, right?
The root of all evil
Browsers are competing with operating systems to become the next application development platform. The rapid development of Web 2.0 keeps pushing browser developers toward advanced features that enable a new user experience: personalisation and customisation delivered through interactive multimedia applications. The same features lay the ground for a fertile environment in which a new breed of malware can come to life, one that lives entirely inside the browser.
Myth or truth?
The integration of AJAX has changed the situation. For example, the combination of a legacy function, a Web 2.0 feature and a simple design flaw led to the birth of Jinx, a proof-of-concept piece of Web 2.0 malware written in JavaScript and presented at Black Hat USA 2008. Running inside the browser, it can index the hard drive and send files out while the unsuspecting victim is surfing websites, and those are only some of its capabilities.
Is there more to it?
What is worth implementing in such malware? The answer is the LAN-to-WAN bridging attack.
Tabbed browsing, which is supported by both Microsoft IE 7.0 and Mozilla Firefox, opens the way for LAN-to-WAN bridging. It's common for company employees to keep one tab connected to, say, the enterprise ERP application while another tab shows an external web page. Both tabs run in the same browser and share its cookie jar, cached credentials and open sessions.
This can be exploited by malware that acts as a "proxy" between the organisation's intranet and the outside internet: it fetches intranet resources with the browser's ambient credentials (cached passwords, saved session identifiers and cookies) and relays them outward over ordinary HTTP. Information and resources that were never reachable from the internet can thus be browsed, manipulated and exported.
The strength of malware based on Web 2.0 technology is its independence from the underlying operating system and architecture on which it is running. It can be implemented through a series of standard API calls and, like a real Web 2.0 application, uses HTTP as its main channel of communication and information leakage. Because every request is issued by the browser itself, the traffic carries the browser's own User-Agent, headers and timing, so there is little at the network level that looks anomalous; a defender is left looking for behaviour, such as an upload to an external site that closely follows a download from an internal one. The potential of such malware is tremendous.
Who's filtering Google?
The Achilles' heel of every piece of malware that "phones home" is the static set of "drop points" and command servers on which it relies. Over time these IPs are typically revealed and eventually blocked, leaving the malware cut off from further commands and unable to transfer new information.
Web 2.0 malware can sidestep this by issuing an ordinary search-engine query for a predetermined set of keywords. The query returns a group of websites in which, after simple enumeration, a "random" control site turns up, marked by a unique watermark or subtext invisible to the naked eye, from which the malware can retrieve further commands. Nobody blocks the search engine, and the control site can be replaced at will as long as the next one carries the same watermark.
See original article on SC Magazine US
By Itzik Kotler, security operation centre, Radware on Aug 27, 2008 11:39AM